
Singapore

Private organisations must stop using NRIC numbers for authentication by end-2026

The Personal Data Protection Commission will step up enforcement from Jan 1, 2027, including issuing directions or imposing financial penalties for misuse.


Photo illustration of photocopying an NRIC. (File photo: Jeremy Long)


02 Feb 2026 02:59PM (Updated: 03 Feb 2026 10:12AM)

SINGAPORE: Private organisations have until Dec 31, 2026 to phase out the use of NRIC numbers for authentication, said the Personal Data Protection Commission (PDPC) on Monday (Feb 2).

Enforcement action against the misuse of NRIC numbers will be ramped up after that, PDPC added, as it moves to reduce the risk of unauthorised access to services and information.

In June 2025, PDPC and the Cyber Security Agency (CSA) issued a joint advisory to private sector organisations clarifying that NRIC numbers should not be misused for authentication.

Authentication refers to the process of proving that a person is who he claims to be, before granting him access to services or information intended only for him, said PDPC and CSA. This differs from identification, where identifiers such as names are used to tell people apart, they added.

Examples of misuse for authentication include using NRIC numbers - in full or part - as default passwords. This includes cases where the passwords are NRIC numbers on their own or together with other easily obtainable personal data, such as names and birthdates.

Such passwords should not be used to access digital documents or to allow access to an individual’s account, said PDPC.

“Government agencies have already moved away from using NRIC numbers for authentication, to reduce the risk of unauthorised access to services and information,” PDPC said.

"Organisations that use NRIC numbers for authentication to access personal data may be found to have breached the Personal Data Protection Act (PDPA) for failing to make reasonable security arrangements to protect personal data," said PDPC.

"From Jan 1, 2027, the PDPC will step up enforcement action against such misuse, including imposing directions or financial penalties for such breaches where appropriate."

The Infocomm Media Development Authority, Monetary Authority of Singapore and the Ministry of Health have also issued guidance to the telecommunications, finance and insurance, and healthcare sectors on stopping the use of NRIC numbers for authentication.

Last January, Minister for Digital Development and Information Josephine Teo said in a ministerial statement that private sector organisations that were using NRIC numbers as authentication factors or default passwords should stop the practice as soon as possible.

She said at the time that those organisations which collect partial NRIC numbers to identify people can continue to do so, and that the ministry would only consider how the guidelines on NRIC number usage in the private sector should be updated after consulting the public.

It came after public backlash in December 2024 when the new Bizfile portal was launched by the Accounting and Corporate Regulatory Authority (ACRA), which published people’s full NRIC numbers and names for free in its search results.

Source: CNA/rk(gr)